Scalable, automated security components & services enhanced with blockchain
Our team has decades of cyber security experience in both hacking and building the security infrastructure and operations centers from the ground up at some of the world’s largest ecommerce companies.
The RootOwl platform covers the full security stack, from hardware through OS security and application security all the way to network & client security. The modular architecture, however, allows you to use only the security components you need.
This page is a deeper dive into the building blocks of the RootOwl platform. If you want to see even more detailed information, please refer to the white paper.
Attested server hardware
Fundamental server security on Ring -1, -2 and -3 is an often underestimated and undermanaged part of overall security management. The problem has grown more acute as black hat hackers increasingly weaponize exploits in this cyber territory, originally dominated only by state-level actors. If you are building an MVP, you probably don't need to worry much about it, but we are committed to providing you with an option to deploy or migrate your existing application into an environment with attested hardware for true 360-degree security.
RootOwl low-level protections include a trusted-execution-environment-based audit of bootloader, hypervisor and firmware integrity. The audit is resistant against cold-boot attacks and, largely, other side-channel attacks through an attestation against a single-blind secret Hyperledger Fabric (hosted by The Linux Foundation) ledger chaincode, where only the peers store the correct value of the boot integrity checksum. To further prevent replay attacks, BCM exploits or MITM attacks, the scan is merged with a counter, a stack of previously submitted audits which are signed with a CPU-embedded secret key. This audit is also resistant against denial of service through a dead-man-switch mechanism on the single-blind secret ledger.
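A minimal sketch of the counter-plus-audit-chain idea described above, added here as an illustration and not RootOwl's own code. HMAC-SHA256 stands in for a signature made with the CPU-embedded key, the hypothetical `Verifier` class stands in for the ledger chaincode that alone holds the expected checksum, and all names and sample values are constructed.

```python
import hashlib, hmac
def digest(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:  # length-prefix each part so field boundaries are unambiguous
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()
def body_of(counter, measurement, prev):
    return digest(counter.to_bytes(8, "big"), measurement, prev)

class Device:
    """Audited server; HMAC stands in for the CPU-embedded key (assumption)."""
    def __init__(self, key):
        self.key, self.counter, self.prev = key, 0, bytes(32)

    def audit(self, components):
        self.counter += 1
        m = digest(*components)  # boot integrity checksum
        body = body_of(self.counter, m, self.prev)
        tag = hmac.new(self.key, body, "sha256").digest()
        report = {"counter": self.counter, "measurement": m, "prev": self.prev, "tag": tag}
        self.prev = body  # the next report chains to this one
        return report

class Verifier:
    """Hypothetical stand-in for the chaincode; only it holds the expected value."""
    def __init__(self, key, expected, max_gap):
        self.key, self.expected, self.max_gap = key, expected, max_gap
        self.counter, self.prev, self.last_seen = 0, bytes(32), 0.0

    def submit(self, r, now):
        body = body_of(r["counter"], r["measurement"], r["prev"])
        if not hmac.compare_digest(hmac.new(self.key, body, "sha256").digest(), r["tag"]):
            return "bad-signature"
        if r["counter"] != self.counter + 1 or r["prev"] != self.prev:
            return "replay-or-gap"  # stale counter or broken audit chain
        self.counter, self.prev, self.last_seen = r["counter"], body, now
        ok = hmac.compare_digest(r["measurement"], self.expected)
        return "ok" if ok else "integrity-failure"

    def overdue(self, now):  # dead-man switch: silence is itself a failure
        return now - self.last_seen > self.max_gap

def demo():
    good = [b"bootloader-v1", b"hypervisor-v1", b"firmware-v1"]  # constructed samples
    dev, ver = Device(b"constructed-demo-key"), Verifier(b"constructed-demo-key", digest(*good), 60.0)
    r1, r2 = dev.audit(good), dev.audit(good)
    r3 = dev.audit([b"bootloader-modified", good[1], good[2]])
    return [ver.submit(r1, 10.0), ver.submit(r2, 20.0), ver.submit(r1, 25.0),
            ver.submit(r3, 30.0), ver.overdue(50.0), ver.overdue(120.0)]
```

A real deployment would use an asymmetric signature so the verifier never holds the device key; the symmetric HMAC here only keeps the sketch within the standard library.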
If the protection of BIOS/UEFI and BCM such as Intel Management Engine is relevant and important to your business, we provide open-source mitigations as well as RootOwl secure cloud servers where both the BIOS/UEFI and BCM are configured for the absolute minimum attack surface.
Hardened operating system
A hardened operating system is one of the best ways to prevent your application from suffering a critical security vulnerability caused by system zero-day exploits, bugs or even misconfigurations. Most people seek security by using old kernels with distros like CentOS, but conservatism does not equal good security. The average life-span of kernel bugs is ~6 years and many of the critical bugs happen in distros with older kernels. On the other hand, on distros with new kernels, 90-99% of kernel bugs can be actively prevented from causing security impact through kernel hardening measures. Yet few companies harden their systems, because it's a complex, time-demanding process. To bring sense to OS security, we pre-harden an Ubuntu server and make it available on the RootOwl secure cloud.
The kernel hardening includes a large set of patches and configurations. The list below is only a part of the whole solution, so please refer to the white paper or the documentation for more info.
As the NSA hacking team puts it, most hacking isn't about zero-day exploits; it's about knowing the target IT infrastructure better than the target admins. Poor configuration is a very common reason for data breaches. We harden your chroot, USB policy and firewall, and apply strict role-based access control to enforce a minimum privilege policy and process compartmentalization. We also intend to leverage our unique mutually-authenticated blockchain identity to further harden access to & administration of the server.
The system kernel itself is protected with a series of patches from grsecurity and PaX, among others. These serve as a crucial defense against the most common bug classes (such as stack smashing, buffer overflows or stack exhaustion) and largely prevent privilege escalation.
The last and possibly most potent line of defense is our blockchain-based system integrity attestation audit, which runs a complete scan of the file system & permissions. It can detect any unauthorized file modification or illegal file creation, and it checks configuration integrity in RAM. The master results are not stored locally and are instead reported in a single-blinded way to a chaincode on a private ledger, so that only the blockchain smart contract can determine system integrity. This integrity audit is resistant to MITM and replay attacks through the use of the RootOwl enhanced identity and of SGX/TXT, which protects the crypto-material and primitives from higher-privilege attackers.
The RootOwl platform provides up to 4 layers of independent data protection. The operating system uses full-disk encryption to protect against physical theft or data leakage, for example through a poorly executed hardware disposal process.
Separating databases into a data layer also enables the databases to encrypt data at rest. This protection is further enforced with kernel hardening and sandboxing measures, which prevent unauthorized processes from taking over access to the databases or decryption keys.
The RootOwl mutually authenticated enhanced identity also enables the use of client-side data encryption security components. The client-side SDKs manage the cryptographic material and the encryption of selected customer-centric data at rest and even end-to-end in transit via simple APIs.
The last element of data security is data backups and disaster recovery. The RootOwl company platform includes an optional component to perform remote backups. You simply activate a new secure node by deploying our virtual machine, bind both source and destination servers to your blockchain-based identity and account, and the backups are ready to start.
Application security services
Applications are the backbone of almost every business. Many companies move fast and break things to become the first app of a kind on the market, while others are building extremely complex and thought-through groups of applications and services. No matter which of these you build, poor security can bring down all your effort. Protecting applications of all kinds from the widest range of attacks is at the core of what we do.
The RootOwl platform provides you with a full set of application security components covering your needs for availability, integrity, secrecy, privacy and non-repudiation. You can use our configuration panel to choose the right mix of components and their parameters.
Setting up a load balancer is a matter of installing a new node, dedicating it as a load balancer and binding the load-balancing and load-balanced servers to your blockchain-based identity and account. We will also work with 3rd party partners to provide CDN & anti-DDoS services via the RootOwl marketplace.
The nodes natively include a hardened web server with a well-configured web application firewall to protect your application against XSS, SQLi, CSRF and other malicious data flows.
Knowing the bad guy from the good guy is the foundation of security. This is where the RootOwl mutually authenticated blockchain-based identity delivers an unprecedented level of assurance and protection for all applications. It works as an independent service and it can be used for the access control of both admins and application end-users. This identity authentication includes multiple factors which make it completely resistant to phishing and other man-in-the-middle attacks, cloning, copying and malicious use by malware, keyloggers and fraudulent botnets. It's also dynamic over time, so potential compromises are quickly detected, and it allows for a complete recovery from a possible breach at minimal to no cost.
Finally, the application can tap into secure communication services. We provide 3 distinct types of communication options: traditional TLS for browser compatibility, a verified E2E connection for apps & thick clients, and a privacy-centered OTR protocol for apps & thick clients.
Distributed ledger technologies such as blockchain have great business potential for small and large companies by introducing true digital ownership, tokenization of assets and the ability to create democratic communities and marketplaces. We leverage our experience in rebuilding Hyperledger Fabric to enable simpler use of distributed ledgers for any business via simple commands.
Our Hyperledger-derived ledgers include 3 pre-built chaincode REST APIs for:
1. public ledgers for democratic and universally accessible unrestricted information for all RootOwl participants
2. detached & isolated ledgers for use within a customer environment. These also increase control and ensure regulatory or certification compliance
3. single-blind secret ledgers, where applications and unauthorized peers have no access to read the data, which are used for security attestations
The ledger security is greatly enhanced with our multi-factor, mutually-authenticated accountable identity, which can then be used in web-of-trust-style digital signatures and active man-in-the-middle detection mechanisms.
The enhanced identity, digital signatures and web of trust functions are themselves designed as independent security services (components) and are accessible to developers for use in their applications to secure admins, IoT as well as end-users.
The RootOwl platform includes SDKs and an open design so that any developer can easily secure his or her client apps across all platforms. The client SDKs are mostly the necessary counterpart functions to the security components used at the server node. They include an embedded hot wallet for management of identity & cryptographic material, a multi-layer mutual authentication & signing utility, a client-data encryption engine, interfaces for the secure communication protocols and a layer for local data encryption at rest.